SA-CORE-2025-002 communicates a security issue introduced in Drupal 8+. This functionality in modern Drupal was heavily inspired by Views Bulk Operations, which exposes core Actions to be performed against nodes (and other entities).

A similar issue exists in Drupal 7. While it does not have the concept of permissions around Actions like in Drupal 8+, Views Bulk Operations (VBO) provides an actions_permissions sub-module. 

Drupal 7 (and earlier versions) does not have the concept of permissions around Actions. Views that are configured to require the 'administer nodes' permission already require sufficient permissions to use all of the actions and do not need any mitigation.

However, views that expose bulk actions and are available to users without the 'administer nodes' permission should either be changed to require 'administer nodes', or the site should enable the 'actions_permissions' module and configure permissions for each action.

This vulnerability extends to modules that rely on Views Bulk Operations to provide their functionality, such as the Admin Views module.

Solution:

To mitigate this vulnerability, we recommend enabling the actions_permissions module (provided by VBO) and configuring permissions for each action.
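
To find the views this applies to, the following audit script is an added example, not code from the advisory or from the VBO project. It lists every enabled view display that carries a VBO field but is not restricted to 'administer nodes', and it assumes the VBO 7.x-3.x layout in which the field is named `views_bulk_operations` and its chosen actions are stored under `vbo_operations`.

```php
<?php
// Added audit example; run inside a bootstrapped Drupal 7 site, e.g.
//   drush php-script vbo_audit.php
// Assumption: VBO stores its field as 'views_bulk_operations' and the
// actions selected for it under 'vbo_operations' (VBO 7.x-3.x layout).

function vbo_audit_exposed_displays() {
  $findings = array();
  foreach (views_get_all_views() as $view) {
    if (!empty($view->disabled)) {
      continue;
    }
    // Attach display handlers so get_option() resolves inherited defaults.
    $view->init_display();
    foreach ($view->display as $display_id => $display) {
      if (empty($display->handler)) {
        continue;
      }
      $fields = (array) $display->handler->get_option('fields');
      $access = (array) $display->handler->get_option('access');
      // Displays already gated on 'administer nodes' need no mitigation.
      $restricted = isset($access['type'], $access['perm'])
        && $access['type'] === 'perm'
        && $access['perm'] === 'administer nodes';
      foreach ($fields as $field) {
        $is_vbo = isset($field['field']) && $field['field'] === 'views_bulk_operations';
        if (!$is_vbo || $restricted) {
          continue;
        }
        $actions = array();
        $ops = isset($field['vbo_operations']) ? (array) $field['vbo_operations'] : array();
        foreach ($ops as $key => $op) {
          if (!empty($op['selected'])) {
            $actions[] = $key;
          }
        }
        $findings[] = array($view->name, $display_id,
          isset($access['type']) ? $access['type'] : 'none', $actions);
      }
    }
  }
  return $findings;
}

print 'actions_permissions enabled: ' . (module_exists('actions_permissions') ? 'yes' : 'no') . "\n";
foreach (vbo_audit_exposed_displays() as $f) {
  printf("%s:%s access=%s actions=%s\n", $f[0], $f[1], $f[2], implode(',', $f[3]));
}
```

Each line of output names a view display to either restrict to 'administer nodes' or cover with per-action permissions once actions_permissions is enabled.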